PoC Released for Apple 0-Day RCE Bug – Active Exploits Confirmed

Apple’s latest security patch cycle has addressed what experts are calling one of the most critical image-processing vulnerabilities in recent memory: CVE-2025-43300.

This flaw arises in the RawCamera.bundle, a component responsible for handling Adobe’s DNG (Digital Negative) files, and enables zero-click arbitrary code execution simply by previewing a maliciously crafted image.

Apple confirmed that the exploit has been observed in highly targeted attacks, underscoring its severity.

The vulnerability arises from a mismatch between the declared metadata in TIFF/DNG structures and the actual component count in JPEG Lossless streams, resulting in an out-of-bounds write condition.

The Mechanics of the Exploit

At its core, the bug stems from an inconsistency between what the metadata declares and what the image data actually contains.

A malicious DNG file falsely declares two samples per pixel in its SamplesPerPixel tag while embedding JPEG Lossless data marked with only one component via its SOF3 (Start of Frame 3) marker.

When Apple’s decompression code attempts to reconcile this contradiction, it writes past allocated memory boundaries, precisely the kind of mistake that well-funded adversaries weaponize into reliable remote code execution (RCE) payloads.

The vulnerability is highly dangerous for three reasons:

  1. Zero-click exploitation – the file is processed automatically when received via iMessage or other apps without user interaction.
  2. Silent compromise – exploitation occurs during preview rendering, leaving the victim unaware.
  3. Broad platform coverage – multiple iOS and macOS versions fall within the attack surface.

Apple Patches for CVE-2025-43300

| Platform / OS | Patched Version | Notes on Deployment |
|---|---|---|
| iOS / iPadOS 18 | 18.6.2 | Critical update for mobile devices |
| macOS Sequoia | 15.6.1 | Latest flagship macOS patch |
| macOS Sonoma | 14.7.8 | Security update for older Macs |
| macOS Ventura | 13.7.8 | Still maintained for enterprise users |
| iPadOS 17 | 17.7.10 | Extended update cycle |

Advisories urge administrators and individual users alike to patch immediately, given the exploit’s stealthy nature.

Mitigation and Detection Strategies

Patching remains the first line of defense.

Yet, the subtlety of CVE-2025-43300 necessitates additional safeguards, particularly in enterprise networks where delayed patching remains common.

Security researcher Matthieu Suiche, leveraging prior community analysis, released ELEGANT BOUNCER, an open-source Rust-based detection tool. The tool:

  • Parses TIFF/DNG structures for inconsistencies between metadata and embedded JPEG markers.
  • Flags suspicious cases where SamplesPerPixel = 2 but SOF3 component count = 1.
  • Helps researchers and defenders preemptively block malicious image payloads before they reach Apple’s parsing routines.

Enterprises are encouraged to deploy validation pipelines for untrusted DNG files and disable automatic previews in messaging and collaboration tools where feasible.
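The consistency check described above, as an added Python example for a validation pipeline; it is not ELEGANT BOUNCER's code and not from the original article, and it generalizes the 2-versus-1 case to any disagreement between SamplesPerPixel and the SOF3 component count. The function names, the 1024-byte search window for SOF3 and the constructed header-only sample file are assumptions of this example.

```python
import struct

SOF3 = b"\xff\xc3"  # JPEG Lossless start-of-frame marker
TAGS = {259: "compression", 273: "offset", 324: "offset", 277: "spp", 330: "subifd"}

def read_ifd(data, off, e):
    """Parse the IFD at off (e is '<' or '>'); values wider than 4 bytes are read
    from their stored offset. Returns (fields, next IFD offset)."""
    (count,) = struct.unpack_from(e + "H", data, off)
    fields = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(e + "HHI4s", data, off + 2 + 12 * i)
        if tag in TAGS and typ in (3, 4):  # SHORT or LONG values only
            size, fmt = (2, e + "H") if typ == 3 else (4, e + "I")
            src, pos = (raw, 0) if n * size <= 4 else (data, struct.unpack(e + "I", raw)[0])
            fields[TAGS[tag]] = [struct.unpack_from(fmt, src, pos + size * k)[0]
                                 for k in range(min(n, 16))]
    (nxt,) = struct.unpack_from(e + "I", data, off + 2 + 12 * count)
    return fields, nxt

def find_mismatches(data):
    """Return (ifd_offset, SamplesPerPixel, SOF3 components) for each disagreement."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF/DNG file")
    e = "<" if data[:2] == b"II" else ">"
    todo, seen, hits = [struct.unpack_from(e + "I", data, 4)[0]], set(), []
    while todo:
        off = todo.pop()
        if off == 0 or off in seen:  # 0 ends a chain; seen guards against loops
            continue
        seen.add(off)
        try:
            f, nxt = read_ifd(data, off, e)
        except struct.error:  # truncated or out-of-range IFD
            continue
        todo += [nxt] + f.get("subifd", [])
        if f.get("compression") == [7] and f.get("spp") and f.get("offset"):
            start = f["offset"][0]
            m = data.find(SOF3, start, start + 1024)  # heuristic: SOF3 follows SOI closely
            if m != -1 and m + 9 < len(data) and data[m + 9] != f["spp"][0]:
                hits.append((off, f["spp"][0], data[m + 9]))
    return hits

def build_sample(spp, nf):
    """Constructed test input: little-endian TIFF headers plus a SOF3 segment, no image data."""
    entries = [(259, 3, 1, 7), (273, 4, 1, 50), (277, 3, 1, spp)]
    ifd = struct.pack("<H", 3) + b"".join(struct.pack("<HHII", *x) for x in entries) + bytes(4)
    jpeg = b"\xff\xd8" + SOF3 + struct.pack(">HBHHB", 8 + 3 * nf, 8, 1, 1, nf)
    jpeg += b"".join(bytes([c + 1, 0x11, 0]) for c in range(nf))
    return struct.pack("<2sHI", b"II", 42, 8) + ifd + jpeg
```

A non-empty result from `find_mismatches` is a reason to quarantine the file before any previewer touches it; an empty result only means this one inconsistency was not found.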

Industry experts stress that CVE-2025-43300 is another reminder of how “complexity breeds insecurity.”

The convergence of multiple standards – TIFF, JPEG, and proprietary bundle implementations – opens unanticipated vulnerabilities even in mature ecosystems like Apple’s.

Key Takeaways

  • CVE-2025-43300 is weaponized – Apple confirmed exploitation in the wild.
  • Zero-click RCE – requires no user action, triggering silently during image preview.
  • Wide device coverage – iOS, iPadOS, and three major macOS versions.
  • Defense requires both patching and detection – combining Apple’s updates with proactive scanning tools like ELEGANT BOUNCER.
  • A reminder of file parsing dangers – complex specifications remain a popular hunting ground for attackers.

As with other zero-click vulnerabilities, the danger lies not only in its technical precision but in its ability to bypass user agency altogether.

For defenders, that means vigilance must go beyond reactive patching and toward layered defenses capable of anticipating the next elegant exploit hidden in something as ordinary as a photograph.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
